In 2019, almost identical cyberattacks were launched against two very different targets. The first, Norsk Hydro, was an aluminium supplier. Hundreds of relationships with clients in the building and automotive industries were interrupted almost overnight when a ransomware attack disabled 25,000 of the company’s PCs and up to 4,000 of its servers. Five months later, a similar attack disabled the computer systems at a doctor’s office in California. Dr Shayla Kasel first noticed something was wrong when she attempted to sign into her work computer from a static IP at her home. “The ransomware attack encrypted 20 years of patient medical records,” she recalled, as well as her scheduling system. “I truly had no idea who was going to be coming into the office [the next day.]”
Norsk Hydro and Dr Kasel were two very different victims of the same crime wave that, as a new three-part documentary by Sophos explains, has plunged thousands of businesses into darkness and, sometimes, entire livelihoods. By gaining access to a target company’s servers by exploiting vulnerabilities in APIs, phishing emails or even bribing employees, hackers are able to deploy malware that encrypts critical systems and keeps them locked until a ransom is paid. Companies that haven’t backed up their systems for just such an eventuality then face a choice: either pay the fee in the hope that their data is returned or sit tight and rebuild their defences from the ground up.
As the documentary explains, it’s a criminal formula that has endured since captured knights were sold back to crusading armies and kidnapped children back to worried parents. Somewhat surprisingly, it’s one that’s only been adapted to the pursuit of cybercrime relatively recently with the formation of the first cybercriminal cartels at the end of the 2000s. Their initial impact was devastating but, as these organisations splintered into newer, leaner gangs and ‘ransomware-as-a-service’ made the formula accessible to even those criminals with no training in computer science, what began as a deluge of cyberattacks quickly turned into a tsunami.
“There’s a ransomware attack somewhere in the world every 11 seconds,” says Clare Sullivan, the executive director of Georgetown University’s Cyber Smart Research Centre. “The cost of this – and this is simply the immediate cost of ransomware – is in the order of $20bn over 2021.”
Why, then, target a California doctor’s office? “It’s about degrees of separation,” says Tom Kellerman, head of cybersecurity at VMWare. In many cases, explains Kellerman, hackers will focus on a target because of who they might know, allowing them to leapfrog from victim to victim while reaping ransoms along the way. In other cases, he continues, “the adversary will go after you because you have this new customer that’s a government agency, whether it be state, local or federal. The adversary will target you because you have a partnership with a big bank. As an individual, it’s about who you know.”
In the case of Norsk Hydro, however, the motivation was much simpler. As a linchpin supplier of aluminium for the automotive and building sectors, the attackers likely gambled that the Norwegian conglomerate was more interested in paying the ransom and salvaging its relationship with its clients than holding fast to its principles and denying them cold hard cash. The hackers were wrong.
“Within the corporate emergency team we made a decision to not go into dialogue with the attacker and not to pay any ransom,” recalls Norsk Hydro’s CISO, Torstein Gimnes Are. It took another eight months before the company could resume normal operations. “If you look at the total cost summarised after the 2019 attack, it amounted to 800 million Norwegian kroner [£58.7m].”
But not everyone can afford to take the high road. In the end, Dr Kasel was forced to close her practice and go into early retirement. “And I wasn’t ready to retire,” she tells the documentary makers. “Part of the reason that I’m sharing my story is that I think it’s really important for other physicians to know this is a possibility [and] that this can happen, so they can protect themselves against the bad actors that are out there.”
All three episodes of ‘Think You Know Ransomware?’ can be watched here.